Merge branch 'dev' of ../rebble.net into dev

This commit is contained in:
Mike Macgirvin 2022-06-21 20:01:20 -07:00
commit be9bb9f04d
3 changed files with 16 additions and 62 deletions


@ -703,5 +703,15 @@ class Account {
return $r;
}
static public function from_id($n) {
if (! intval($n)) {
return false;
}
$r = q(
"select * from account where account_id = %d limit 1",
intval($n)
);
return ($r) ? array_shift($r) : false;
}
}
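Review bot: `from_id` on L13 documents neither its parameter nor its `array|false` return, and the `intval` guard on L14 only rejects zero and non-numeric input, so negative values still reach the query (they match no row and fall through to `false`). I'd add a docblock above L13 — `/** @param int|string $n account_id @return array|false the account row, or false when $n is not a non-zero integer or no row matches */` — and write the modifiers as `public static function from_id($n)` per PER-CS. The new caller in the third changed file relies on the `false` return to take its logout branch, so the contract is worth pinning in the doc. The class body above L11 lies outside the hunk.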


@ -183,56 +183,4 @@ class Session
$arr = array('expire' => $xtime);
Hook::call('extend_cookie', $arr);
}
public function return_check()
{
// check a returning visitor against IP changes.
// If the change results in being blocked from re-entry with the current cookie
// nuke the session and logout.
// Returning at all indicates the session is still valid.
// first check if we're enforcing that sessions can't change IP address
// @todo what to do with IPv6 addresses
if ($_SESSION['addr'] && $_SESSION['addr'] != $_SERVER['REMOTE_ADDR']) {
logger('SECURITY: Session IP address changed: ' . $_SESSION['addr'] . ' != ' . $_SERVER['REMOTE_ADDR']);
$partial1 = substr($_SESSION['addr'], 0, strrpos($_SESSION['addr'], '.'));
$partial2 = substr($_SERVER['REMOTE_ADDR'], 0, strrpos($_SERVER['REMOTE_ADDR'], '.'));
$paranoia = intval(get_pconfig($_SESSION['uid'], 'system', 'paranoia'));
if (! $paranoia) {
$paranoia = intval(get_config('system', 'paranoia'));
}
switch ($paranoia) {
case 0:
// no IP checking
break;
case 2:
// check 2 octets
$partial1 = substr($partial1, 0, strrpos($partial1, '.'));
$partial2 = substr($partial2, 0, strrpos($partial2, '.'));
if ($partial1 == $partial2) {
break;
}
case 1:
// check 3 octets
if ($partial1 == $partial2) {
break;
}
case 3:
default:
// check any difference at all
logger('Session address changed. Paranoid setting in effect, blocking session. ' . $_SESSION['addr'] . ' != ' . $_SERVER['REMOTE_ADDR']);
$this->nuke();
goaway(z_root());
break;
}
}
return true;
}
}


@ -10,8 +10,9 @@
* Also provides a function for OpenID identiy matching.
*/
use Code\Lib\Libzot;
use Code\Lib\Account;
use Code\Lib\Channel;
use Code\Lib\Libzot;
use Code\Extend\Hook;
require_once('include/api_auth.php');
@ -261,15 +262,10 @@ if (
// already logged in user returning
if (x($_SESSION, 'uid') || x($_SESSION, 'account_id')) {
App::$session->return_check();
$r = q(
"select * from account where account_id = %d limit 1",
intval($_SESSION['account_id'])
);
if (($r) && (($r[0]['account_flags'] == ACCOUNT_OK) || ($r[0]['account_flags'] == ACCOUNT_UNVERIFIED))) {
App::$account = $r[0];
$r = Account::from_id($_SESSION['account_id']);
if (($r) && (($r['account_flags'] == ACCOUNT_OK) || ($r['account_flags'] == ACCOUNT_UNVERIFIED))) {
App::$account = $r;
$login_refresh = false;
if (! x($_SESSION, 'last_login_date')) {
$_SESSION['last_login_date'] = datetime_convert('UTC', 'UTC');
@ -280,7 +276,7 @@ if (
$login_refresh = true;
}
$ch = (($_SESSION['uid']) ? Channel::from_id($_SESSION['uid']) : null);
authenticate_success($r[0], false, $ch, false, false, $login_refresh);
authenticate_success(App::$account, false, $ch, false, false, $login_refresh);
} else {
$_SESSION['account_id'] = 0;
App::$session->nuke();
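Review bot: The returning-visitor branch at L89 no longer has any IP-consistency check on the session: `Session::return_check()` is deleted in the second changed file, and the hunk header's counts (eight removals, while the old `q()` block on L91–L96 accounts for six) suggest the call on L90 goes with it, so after this merge the session cookie alone authenticates a returning account. If that is the intent — the deleted check was gated on the `paranoia` setting and its own comments flagged IPv6 as unhandled — I'd record it with a comment next to L89, `// no IP-consistency check on returning sessions (Session::return_check was removed)`, so the next reader does not assume one still runs. If L90 is in fact kept as context, it now calls an undefined method and will fatal on every returning login. The enclosing `if (` block starts before the hunk.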